CrowdSec
CrowdSec Score: 3/10

ownCloud - Information Disclosure (CVE-2023-49103)

Published on 21-11-2023
First seen on 28-11-2023

2291 exploiting IPs reported

An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.

CrowdSec analysis

CVE-2023-49103 is a critical vulnerability affecting ownCloud, where an exposed endpoint can leak detailed PHP configuration information, including sensitive environment variables that may contain credentials or license keys.

CrowdSec has been tracking this vulnerability and its exploits since the 28th of November 2023.

CrowdSec network data shows that most actors exploiting CVE-2023-49103 rely on broad, untargeted scans with minimal filtering. The activity is largely automated and opportunistic in nature. In addition, according to the CrowdSec network, attack volume against CVE-2023-49103 has dipped slightly compared to the previous week. Although still commonly targeted, the decline suggests a cooling-off period. Long-term relevance remains, but attention is waning.

Observed exploitation attempts are directed at the endpoint that serves PHP environment details, potentially revealing sensitive information to unauthorized parties.
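A log check for requests to that endpoint, as an added example that is not CrowdSec's detection rule or ownCloud's code. It assumes web server access logs in combined log format; the log lines are constructed, and `EXAMPLE-PATH` is a placeholder because the page names only the `GetPhpInfo.php` file, not its full path.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines (combined log format, documentation IP ranges).
# EXAMPLE-PATH is a placeholder, not the real location of the file.
SAMPLE_LOG = """\
198.51.100.7 - - [28/Nov/2023:10:01:02 +0000] "GET /apps/graphapi/EXAMPLE-PATH/GetPhpInfo.php HTTP/1.1" 200 81234 "-" "scanner"
198.51.100.7 - - [28/Nov/2023:10:01:03 +0000] "GET /status.php HTTP/1.1" 200 162 "-" "scanner"
203.0.113.9 - - [28/Nov/2023:10:05:40 +0000] "GET /x/%47etPhpInfo.php/extra HTTP/1.1" 404 153 "-" "-"
192.0.2.44 - - [28/Nov/2023:11:00:00 +0000] "GET /index.php/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
NEEDLE = "getphpinfo.php"  # file name taken from the advisory text


def path_segments(target):
    """Drop the query string, percent-decode twice, lowercase, split on '/'."""
    path = target.split("?", 1)[0]
    for _ in range(2):  # second pass catches double-encoded characters
        path = unquote(path)
    return path.lower().split("/")


def find_probes(log_text):
    """Return {ip: {'probes': n, 'served': n}} for requests naming the file.

    'served' counts 2xx responses, i.e. requests the server answered and
    which may have returned phpinfo output, as opposed to blocked or
    not-found probes.
    """
    hits = defaultdict(lambda: {"probes": 0, "served": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if NEEDLE in path_segments(m["target"]):
            hits[m["ip"]]["probes"] += 1
            if m["status"].startswith("2"):
                hits[m["ip"]]["served"] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, counts in find_probes(SAMPLE_LOG).items():
        print(ip, counts)
```

Any source with a non-zero `served` count is the one to prioritise, since the description above says the response can contain the web server's environment variables.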

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.